npm - @tinycloud/node-sdk - Versions diffs - 2.2.0-beta.1 → 2.2.0-beta.10 - Mend

@tinycloud/node-sdk 2.2.0-beta.1 → 2.2.0-beta.10

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (15) hide show

package/dist/core-DcJ27GsA.d.cts +1538 -0
package/dist/core-DcJ27GsA.d.ts +1538 -0
package/dist/core.cjs +906 -183
package/dist/core.cjs.map +1 -1
package/dist/core.d.cts +4 -1423
package/dist/core.d.ts +4 -1423
package/dist/core.js +827 -93
package/dist/core.js.map +1 -1
package/dist/index.cjs +909 -186
package/dist/index.cjs.map +1 -1
package/dist/index.d.cts +2 -2
package/dist/index.d.ts +2 -2
package/dist/index.js +822 -93
package/dist/index.js.map +1 -1
package/package.json +4 -4

package/dist/core.cjs CHANGED Viewed

@@ -20,70 +20,77 @@ var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: tru
 // src/core.ts
 var core_exports = {};
 __export(core_exports, {
-  ACCOUNT_REGISTRY_PATH: () => import_sdk_core8.ACCOUNT_REGISTRY_PATH,
-  ACCOUNT_REGISTRY_SPACE: () => import_sdk_core8.ACCOUNT_REGISTRY_SPACE,
-  AutoApproveSpaceCreationHandler: () => import_sdk_core7.AutoApproveSpaceCreationHandler,
-  CapabilityKeyRegistry: () => import_sdk_core14.CapabilityKeyRegistry,
-  CapabilityKeyRegistryErrorCodes: () => import_sdk_core14.CapabilityKeyRegistryErrorCodes,
-  DEFAULT_MANIFEST_SPACE: () => import_sdk_core8.DEFAULT_MANIFEST_SPACE,
-  DEFAULT_MANIFEST_VERSION: () => import_sdk_core8.DEFAULT_MANIFEST_VERSION,
-  DataVaultService: () => import_sdk_core12.DataVaultService,
-  DatabaseHandle: () => import_sdk_core10.DatabaseHandle,
+  ACCOUNT_REGISTRY_PATH: () => import_sdk_core9.ACCOUNT_REGISTRY_PATH,
+  ACCOUNT_REGISTRY_SPACE: () => import_sdk_core9.ACCOUNT_REGISTRY_SPACE,
+  AutoApproveSpaceCreationHandler: () => import_sdk_core8.AutoApproveSpaceCreationHandler,
+  CapabilityKeyRegistry: () => import_sdk_core15.CapabilityKeyRegistry,
+  CapabilityKeyRegistryErrorCodes: () => import_sdk_core15.CapabilityKeyRegistryErrorCodes,
+  DEFAULT_MANIFEST_SPACE: () => import_sdk_core9.DEFAULT_MANIFEST_SPACE,
+  DEFAULT_MANIFEST_VERSION: () => import_sdk_core9.DEFAULT_MANIFEST_VERSION,
+  DataVaultService: () => import_sdk_core13.DataVaultService,
+  DatabaseHandle: () => import_sdk_core11.DatabaseHandle,
   DelegatedAccess: () => DelegatedAccess,
-  DelegationErrorCodes: () => import_sdk_core13.DelegationErrorCodes,
-  DelegationManager: () => import_sdk_core13.DelegationManager,
-  DuckDbAction: () => import_sdk_core11.DuckDbAction,
-  DuckDbDatabaseHandle: () => import_sdk_core11.DuckDbDatabaseHandle,
-  DuckDbService: () => import_sdk_core11.DuckDbService,
+  DelegationErrorCodes: () => import_sdk_core14.DelegationErrorCodes,
+  DelegationManager: () => import_sdk_core14.DelegationManager,
+  DuckDbAction: () => import_sdk_core12.DuckDbAction,
+  DuckDbDatabaseHandle: () => import_sdk_core12.DuckDbDatabaseHandle,
+  DuckDbService: () => import_sdk_core12.DuckDbService,
   FileSessionStorage: () => FileSessionStorage,
-  KVService: () => import_sdk_core9.KVService,
-  ManifestValidationError: () => import_sdk_core8.ManifestValidationError,
+  KVService: () => import_sdk_core10.KVService,
+  ManifestValidationError: () => import_sdk_core9.ManifestValidationError,
   MemorySessionStorage: () => MemorySessionStorage,
   NodeUserAuthorization: () => NodeUserAuthorization,
-  PermissionNotInManifestError: () => import_sdk_core8.PermissionNotInManifestError,
-  PrefixedKVService: () => import_sdk_core9.PrefixedKVService,
-  ProtocolMismatchError: () => import_sdk_core16.ProtocolMismatchError,
-  SQLAction: () => import_sdk_core10.SQLAction,
-  SQLService: () => import_sdk_core10.SQLService,
-  ServiceContext: () => import_sdk_core17.ServiceContext,
-  SessionExpiredError: () => import_sdk_core8.SessionExpiredError,
-  SharingService: () => import_sdk_core13.SharingService,
-  SilentNotificationHandler: () => import_sdk_core7.SilentNotificationHandler,
-  Space: () => import_sdk_core15.Space,
-  SpaceErrorCodes: () => import_sdk_core15.SpaceErrorCodes,
-  SpaceService: () => import_sdk_core15.SpaceService,
-  TinyCloud: () => import_sdk_core6.TinyCloud,
+  PermissionNotInManifestError: () => import_sdk_core9.PermissionNotInManifestError,
+  PrefixedKVService: () => import_sdk_core10.PrefixedKVService,
+  ProtocolMismatchError: () => import_sdk_core17.ProtocolMismatchError,
+  SECRET_NAME_RE: () => import_sdk_core13.SECRET_NAME_RE,
+  SQLAction: () => import_sdk_core11.SQLAction,
+  SQLService: () => import_sdk_core11.SQLService,
+  SecretsService: () => import_sdk_core13.SecretsService,
+  ServiceContext: () => import_sdk_core18.ServiceContext,
+  SessionExpiredError: () => import_sdk_core9.SessionExpiredError,
+  SharingService: () => import_sdk_core14.SharingService,
+  SilentNotificationHandler: () => import_sdk_core8.SilentNotificationHandler,
+  Space: () => import_sdk_core16.Space,
+  SpaceErrorCodes: () => import_sdk_core16.SpaceErrorCodes,
+  SpaceService: () => import_sdk_core16.SpaceService,
+  TinyCloud: () => import_sdk_core7.TinyCloud,
   TinyCloudNode: () => TinyCloudNode,
-  UnsupportedFeatureError: () => import_sdk_core16.UnsupportedFeatureError,
-  VaultHeaders: () => import_sdk_core12.VaultHeaders,
-  VaultPublicSpaceKVActions: () => import_sdk_core12.VaultPublicSpaceKVActions,
-  VersionCheckError: () => import_sdk_core16.VersionCheckError,
+  UnsupportedFeatureError: () => import_sdk_core17.UnsupportedFeatureError,
+  VAULT_PERMISSION_SERVICE: () => import_sdk_core9.VAULT_PERMISSION_SERVICE,
+  VaultHeaders: () => import_sdk_core13.VaultHeaders,
+  VaultPublicSpaceKVActions: () => import_sdk_core13.VaultPublicSpaceKVActions,
+  VersionCheckError: () => import_sdk_core17.VersionCheckError,
   WasmKeyProvider: () => WasmKeyProvider,
-  buildSpaceUri: () => import_sdk_core15.buildSpaceUri,
-  checkNodeInfo: () => import_sdk_core16.checkNodeInfo,
-  composeManifestRequest: () => import_sdk_core8.composeManifestRequest,
-  createCapabilityKeyRegistry: () => import_sdk_core14.createCapabilityKeyRegistry,
-  createSharingService: () => import_sdk_core13.createSharingService,
-  createSpaceService: () => import_sdk_core15.createSpaceService,
-  createVaultCrypto: () => import_sdk_core12.createVaultCrypto,
+  buildSpaceUri: () => import_sdk_core16.buildSpaceUri,
+  canonicalizeSecretScope: () => import_sdk_core13.canonicalizeSecretScope,
+  checkNodeInfo: () => import_sdk_core17.checkNodeInfo,
+  composeManifestRequest: () => import_sdk_core9.composeManifestRequest,
+  createCapabilityKeyRegistry: () => import_sdk_core15.createCapabilityKeyRegistry,
+  createSharingService: () => import_sdk_core14.createSharingService,
+  createSpaceService: () => import_sdk_core16.createSpaceService,
+  createVaultCrypto: () => import_sdk_core13.createVaultCrypto,
   createWasmKeyProvider: () => createWasmKeyProvider,
   defaultSignStrategy: () => defaultSignStrategy,
-  defaultSpaceCreationHandler: () => import_sdk_core7.defaultSpaceCreationHandler,
+  defaultSpaceCreationHandler: () => import_sdk_core8.defaultSpaceCreationHandler,
   deserializeDelegation: () => deserializeDelegation,
-  expandActionShortNames: () => import_sdk_core8.expandActionShortNames,
-  isCapabilitySubset: () => import_sdk_core8.isCapabilitySubset,
-  loadManifest: () => import_sdk_core8.loadManifest,
-  makePublicSpaceId: () => import_sdk_core15.makePublicSpaceId,
-  parseExpiry: () => import_sdk_core8.parseExpiry,
-  parseSpaceUri: () => import_sdk_core15.parseSpaceUri,
-  resolveManifest: () => import_sdk_core8.resolveManifest,
-  resourceCapabilitiesToSpaceAbilitiesMap: () => import_sdk_core8.resourceCapabilitiesToSpaceAbilitiesMap,
+  expandActionShortNames: () => import_sdk_core9.expandActionShortNames,
+  expandPermissionEntries: () => import_sdk_core9.expandPermissionEntries,
+  expandPermissionEntry: () => import_sdk_core9.expandPermissionEntry,
+  isCapabilitySubset: () => import_sdk_core9.isCapabilitySubset,
+  loadManifest: () => import_sdk_core9.loadManifest,
+  makePublicSpaceId: () => import_sdk_core16.makePublicSpaceId,
+  parseExpiry: () => import_sdk_core9.parseExpiry,
+  parseSpaceUri: () => import_sdk_core16.parseSpaceUri,
+  resolveManifest: () => import_sdk_core9.resolveManifest,
+  resolveSecretPath: () => import_sdk_core13.resolveSecretPath,
+  resourceCapabilitiesToSpaceAbilitiesMap: () => import_sdk_core9.resourceCapabilitiesToSpaceAbilitiesMap,
   serializeDelegation: () => serializeDelegation,
-  validateManifest: () => import_sdk_core8.validateManifest
+  validateManifest: () => import_sdk_core9.validateManifest
 });
 module.exports = __toCommonJS(core_exports);
-var import_sdk_core6 = require("@tinycloud/sdk-core");
 var import_sdk_core7 = require("@tinycloud/sdk-core");
+var import_sdk_core8 = require("@tinycloud/sdk-core");
 // src/storage/MemorySessionStorage.ts
 var MemorySessionStorage = class {
@@ -339,9 +346,9 @@ var NodeUserAuthorization = class {
     this.sessionExpirationMs = config.sessionExpirationMs ?? 60 * 60 * 1e3;
     this.autoCreateSpace = config.autoCreateSpace ?? false;
     this.spaceCreationHandler = config.spaceCreationHandler;
-    this.tinycloudHosts = config.tinycloudHosts ?? [
-      "https://node.tinycloud.xyz"
-    ];
+    this.tinycloudHosts = config.tinycloudHosts;
+    this.tinycloudRegistryUrl = config.tinycloudRegistryUrl;
+    this.tinycloudFallbackHosts = config.tinycloudFallbackHosts;
     this.enablePublicSpace = config.enablePublicSpace ?? true;
     this.nonce = config.nonce;
     this.siweConfig = config.siweConfig;
@@ -362,6 +369,9 @@ var NodeUserAuthorization = class {
   get capabilityRequest() {
     return this.getCapabilityRequest();
   }
+  get hosts() {
+    return this.tinycloudHosts ? [...this.tinycloudHosts] : [];
+  }
   /**
    * Install or replace the stored manifest. Takes effect on the next
    * `signIn()` call — the current session (if any) is not touched.
@@ -386,6 +396,26 @@ var NodeUserAuthorization = class {
   get tinyCloudSession() {
     return this._tinyCloudSession;
   }
+  async resolveTinyCloudHostsForSignIn(address, chainId) {
+    if (this.tinycloudHosts && this.tinycloudHosts.length > 0) {
+      return;
+    }
+    const subject = `did:pkh:eip155:${chainId}:${address}`;
+    const resolved = await (0, import_sdk_core2.resolveTinyCloudHosts)(subject, {
+      registryUrl: this.tinycloudRegistryUrl,
+      fallbackHosts: this.tinycloudFallbackHosts
+    });
+    this.tinycloudHosts = resolved.hosts;
+  }
+  requireTinyCloudHosts() {
+    if (!this.tinycloudHosts || this.tinycloudHosts.length === 0) {
+      throw new Error("TinyCloud hosts have not been resolved. Call signIn() first.");
+    }
+    return this.tinycloudHosts;
+  }
+  get primaryTinyCloudHost() {
+    return this.requireTinyCloudHosts()[0];
+  }
   get nodeFeatures() {
     return this._nodeFeatures;
   }
@@ -517,7 +547,7 @@ var NodeUserAuthorization = class {
     if (!this._tinyCloudSession || !this._address || !this._chainId) {
       throw new Error("Must be signed in to host space");
     }
-    const host = this.tinycloudHosts[0];
+    const host = this.primaryTinyCloudHost;
     const spaceId = targetSpaceId ?? this._tinyCloudSession.spaceId;
     const peerId = await (0, import_sdk_core2.fetchPeerId)(host, spaceId);
     const siwe = this.wasm.generateHostSIWEMessage({
@@ -559,7 +589,7 @@ var NodeUserAuthorization = class {
     if (!this._tinyCloudSession) {
       throw new Error("Must be signed in to ensure space exists");
     }
-    const host = this.tinycloudHosts[0];
+    const host = this.primaryTinyCloudHost;
     const primarySpaceId = this._tinyCloudSession.spaceId;
     const result = await (0, import_sdk_core2.activateSessionWithHost)(
       host,
@@ -668,6 +698,7 @@ var NodeUserAuthorization = class {
     this._chainId = await this.signer.getChainId();
     const address = this.wasm.ensureEip55(this._address);
     const chainId = this._chainId;
+    await this.resolveTinyCloudHostsForSignIn(address, chainId);
     const keyId = `session-${Date.now()}`;
     this.sessionManager.renameSessionKeyId("default", keyId);
     const jwkString = this.sessionManager.jwk(keyId);
@@ -746,7 +777,7 @@ var NodeUserAuthorization = class {
     this._address = address;
     this._chainId = chainId;
     const nodeInfo = await (0, import_sdk_core2.checkNodeInfo)(
-      this.tinycloudHosts[0],
+      this.primaryTinyCloudHost,
       this.wasm.protocolVersion()
     );
     this._nodeFeatures = nodeInfo.features;
@@ -862,6 +893,7 @@ var NodeUserAuthorization = class {
     });
     const address = this.wasm.ensureEip55(await this.signer.getAddress());
     const chainId = await this.signer.getChainId();
+    await this.resolveTinyCloudHostsForSignIn(address, chainId);
     const clientSession = {
       address,
       walletAddress: address,
@@ -911,7 +943,7 @@ var NodeUserAuthorization = class {
     this._address = address;
     this._chainId = chainId;
     const nodeInfo = await (0, import_sdk_core2.checkNodeInfo)(
-      this.tinycloudHosts[0],
+      this.primaryTinyCloudHost,
       this.wasm.protocolVersion()
     );
     this._nodeFeatures = nodeInfo.features;
@@ -994,7 +1026,7 @@ var NodeUserAuthorization = class {
 };
 // src/TinyCloudNode.ts
-var import_sdk_core5 = require("@tinycloud/sdk-core");
+var import_sdk_core6 = require("@tinycloud/sdk-core");
 // src/DelegatedAccess.ts
 var import_sdk_core3 = require("@tinycloud/sdk-core");
@@ -1072,6 +1104,24 @@ var DelegatedAccess = class {
   get hooks() {
     return this._hooks;
   }
+  /**
+   * Export the handles needed to rehydrate this activated delegation via
+   * `TinyCloudNode.restoreSession(...)` in another process or after a
+   * restart.
+   *
+   * See `RestorableSession` for lifetime caveats.
+   */
+  get restorable() {
+    return {
+      delegationHeader: this.session.delegationHeader,
+      delegationCid: this.session.delegationCid,
+      spaceId: this.session.spaceId,
+      jwk: this.session.jwk,
+      verificationMethod: this.session.verificationMethod,
+      address: this.session.address,
+      chainId: this.session.chainId
+    };
+  }
 };
 // src/keys/WasmKeyProvider.ts
@@ -1209,6 +1259,148 @@ function extractSiweExpiration(siwe) {
   return d;
 }
+// src/NodeSecretsService.ts
+var import_sdk_core5 = require("@tinycloud/sdk-core");
+var SECRETS_SPACE = "secrets";
+function ok() {
+  return { ok: true, data: void 0 };
+}
+function secretsError(code, message, cause) {
+  return {
+    ok: false,
+    error: {
+      code,
+      service: "secrets",
+      message,
+      ...cause ? { cause } : {}
+    }
+  };
+}
+function displayActionUrn(action) {
+  return action === "put" ? "tinycloud.vault/write" : "tinycloud.vault/delete";
+}
+function kvActionUrn(action) {
+  return `tinycloud.kv/${action}`;
+}
+function vaultMutationAction(action) {
+  return action === "put" ? "write" : "delete";
+}
+function secretPermissionEntries(name, options, action) {
+  const secretPath = (0, import_sdk_core5.resolveSecretPath)(name, options);
+  return [
+    {
+      service: "tinycloud.vault",
+      space: SECRETS_SPACE,
+      path: secretPath.vaultKey,
+      actions: [vaultMutationAction(action)],
+      skipPrefix: true
+    }
+  ];
+}
+function isSecretsSpace(space) {
+  return space === SECRETS_SPACE || space.endsWith(`:${SECRETS_SPACE}`);
+}
+var NodeSecretsService = class {
+  constructor(config) {
+    this.config = config;
+    this.shouldRestoreUnlock = false;
+  }
+  get vault() {
+    return this.service.vault;
+  }
+  get isUnlocked() {
+    return this.service.isUnlocked;
+  }
+  async unlock(signer) {
+    const effectiveSigner = signer ?? this.config.getUnlockSigner?.();
+    if (effectiveSigner !== void 0) {
+      this.unlockSigner = effectiveSigner;
+    }
+    const result = await this.service.unlock(effectiveSigner);
+    if (result.ok) {
+      this.shouldRestoreUnlock = true;
+    }
+    return result;
+  }
+  lock() {
+    this.shouldRestoreUnlock = false;
+    this.service.lock();
+  }
+  get(name, options) {
+    return options === void 0 ? this.service.get(name) : this.service.get(name, options);
+  }
+  async put(name, value, options) {
+    const permission = await this.ensureMutationPermission(name, options, "put");
+    if (!permission.ok) return permission;
+    return options === void 0 ? this.service.put(name, value) : this.service.put(name, value, options);
+  }
+  async delete(name, options) {
+    const permission = await this.ensureMutationPermission(name, options, "del");
+    if (!permission.ok) return permission;
+    return options === void 0 ? this.service.delete(name) : this.service.delete(name, options);
+  }
+  list(options) {
+    return options === void 0 ? this.service.list() : this.service.list(options);
+  }
+  get service() {
+    return this.config.getService();
+  }
+  async ensureMutationPermission(name, options, action) {
+    let permissionEntries;
+    try {
+      permissionEntries = secretPermissionEntries(name, options, action);
+    } catch (error) {
+      return secretsError(
+        import_sdk_core5.ErrorCodes.INVALID_INPUT,
+        error instanceof Error ? error.message : String(error),
+        error instanceof Error ? error : void 0
+      );
+    }
+    if (this.hasMutationPermission(name, options, action)) {
+      return ok();
+    }
+    if (!this.config.canEscalate()) {
+      return secretsError(
+        import_sdk_core5.ErrorCodes.PERMISSION_DENIED,
+        `Cannot autosign ${displayActionUrn(action)} for ${name}; TinyCloudNode needs wallet mode with a signer or privateKey.`
+      );
+    }
+    try {
+      await this.config.grantPermissions(permissionEntries);
+      return this.restoreUnlockAfterEscalation();
+    } catch (error) {
+      return secretsError(
+        import_sdk_core5.ErrorCodes.PERMISSION_DENIED,
+        error instanceof Error ? error.message : `Autosign escalation for ${displayActionUrn(action)} on ${name} failed.`,
+        error instanceof Error ? error : void 0
+      );
+    }
+  }
+  async restoreUnlockAfterEscalation() {
+    if (!this.shouldRestoreUnlock) {
+      return ok();
+    }
+    return this.service.unlock(this.unlockSigner);
+  }
+  hasMutationPermission(name, options, action) {
+    const manifest = this.config.getManifest();
+    if (manifest === void 0) {
+      return false;
+    }
+    const manifests = Array.isArray(manifest) ? manifest : [manifest];
+    const requiredAction = kvActionUrn(action);
+    const secretPath = (0, import_sdk_core5.resolveSecretPath)(name, options);
+    return manifests.some((entry) => {
+      const resolved = (0, import_sdk_core5.resolveManifest)(entry);
+      return ["keys", "vault"].every(
+        (base) => resolved.resources.some(
+          (resource) => resource.service === "tinycloud.kv" && isSecretsSpace(resource.space) && resource.path === secretPath.permissionPaths[base] && resource.actions.includes(requiredAction)
+        )
+      );
+    });
+  }
+};
 // src/TinyCloudNode.ts
 var DEFAULT_HOST = "https://node.tinycloud.xyz";
 var _TinyCloudNode = class _TinyCloudNode {
@@ -1240,6 +1432,31 @@ var _TinyCloudNode = class _TinyCloudNode {
     this.auth = null;
     this.tc = null;
     this._chainId = 1;
+    this.runtimePermissionGrants = [];
+    this.invokeWithRuntimePermissions = (session, service, path, action, facts) => {
+      return this.wasmBindings.invoke(
+        this.selectInvocationSession(session, service, path, action),
+        service,
+        path,
+        action,
+        facts
+      );
+    };
+    this.invokeAnyWithRuntimePermissions = (session, entries, facts) => {
+      if (!this.wasmBindings.invokeAny) {
+        throw new Error("WASM binding does not support invokeAny");
+      }
+      const grant = this.findGrantForOperations(
+        entries.map((entry) => ({
+          spaceId: entry.spaceId,
+          service: this.invocationServiceName(entry.service),
+          path: entry.path,
+          action: entry.action
+        }))
+      );
+      return this.wasmBindings.invokeAny(grant?.session ?? session, entries, facts);
+    };
+    this.explicitHost = config.host;
     this.config = {
       ...config,
       host: config.host ?? DEFAULT_HOST
@@ -1266,23 +1483,23 @@ var _TinyCloudNode = class _TinyCloudNode {
       throw new Error("Failed to get session key JWK");
     }
     this.sessionKeyJwk = JSON.parse(jwkStr);
-    this._capabilityRegistry = new import_sdk_core5.CapabilityKeyRegistry();
+    this._capabilityRegistry = new import_sdk_core6.CapabilityKeyRegistry();
     this._keyProvider = new WasmKeyProvider({
       sessionManager: this.sessionManager
     });
-    this.notificationHandler = config.notificationHandler ?? new import_sdk_core5.SilentNotificationHandler();
-    this._sharingService = new import_sdk_core5.SharingService({
+    this.notificationHandler = config.notificationHandler ?? new import_sdk_core6.SilentNotificationHandler();
+    this._sharingService = new import_sdk_core6.SharingService({
       hosts: [this.config.host],
       // session: undefined - not needed for receive()
-      invoke: this.wasmBindings.invoke,
+      invoke: this.invokeWithRuntimePermissions,
       fetch: globalThis.fetch.bind(globalThis),
       keyProvider: this._keyProvider,
       registry: this._capabilityRegistry,
       // delegationManager: undefined - not needed for receive()
       createKVService: (config2) => {
         const prefix = config2.pathPrefix?.replace(/\/$/, "");
-        const kvService = new import_sdk_core5.KVService({ prefix });
-        const kvContext = new import_sdk_core5.ServiceContext({
+        const kvService = new import_sdk_core6.KVService({ prefix });
+        const kvContext = new import_sdk_core6.ServiceContext({
           invoke: config2.invoke,
           fetch: config2.fetch ?? globalThis.fetch.bind(globalThis),
           hosts: config2.hosts
@@ -1321,7 +1538,6 @@ var _TinyCloudNode = class _TinyCloudNode {
    * @internal
    */
   setupAuth(config) {
-    const host = this.config.host;
     this.auth = new NodeUserAuthorization({
       signer: this.signer,
       signStrategy: { type: "auto-sign" },
@@ -1330,7 +1546,9 @@ var _TinyCloudNode = class _TinyCloudNode {
       domain: this.siweDomain,
       spacePrefix: config.prefix,
       sessionExpirationMs: config.sessionExpirationMs ?? 60 * 60 * 1e3,
-      tinycloudHosts: [host],
+      tinycloudHosts: this.explicitHost ? [this.explicitHost] : void 0,
+      tinycloudRegistryUrl: config.tinycloudRegistryUrl,
+      tinycloudFallbackHosts: config.tinycloudFallbackHosts,
       autoCreateSpace: config.autoCreateSpace,
       enablePublicSpace: config.enablePublicSpace ?? true,
       spaceCreationHandler: config.spaceCreationHandler,
@@ -1340,10 +1558,16 @@ var _TinyCloudNode = class _TinyCloudNode {
       capabilityRequest: config.capabilityRequest,
       includeAccountRegistryPermissions: config.includeAccountRegistryPermissions
     });
-    this.tc = new import_sdk_core5.TinyCloud(this.auth, {
-      invokeAny: this.wasmBindings.invokeAny
+    this.tc = new import_sdk_core6.TinyCloud(this.auth, {
+      invokeAny: this.invokeAnyWithRuntimePermissions
     });
   }
+  syncResolvedHostFromAuth() {
+    const host = this.auth?.hosts[0];
+    if (host) {
+      this.config.host = host;
+    }
+  }
   /**
    * Install or replace the manifest that drives the SIWE recap at
    * sign-in. Takes effect on the next `signIn()` call — the current
@@ -1381,6 +1605,10 @@ var _TinyCloudNode = class _TinyCloudNode {
   get capabilityRequest() {
     return this.auth?.capabilityRequest;
   }
+  get hosts() {
+    const authHosts = this.auth?.hosts ?? [];
+    return authHosts.length > 0 ? authHosts : [this.config.host];
+  }
   /**
    * Get the primary identity DID for this user.
    * - If wallet connected and signed in: returns PKH DID (did:pkh:eip155:{chainId}:{address})
@@ -1451,8 +1679,14 @@ var _TinyCloudNode = class _TinyCloudNode {
     this._sql = void 0;
     this._duckdb = void 0;
     this._hooks = void 0;
+    this._vault = void 0;
+    this._baseSecrets = void 0;
+    this._secrets = void 0;
+    this._spaceService = void 0;
     this._serviceContext = void 0;
+    this.runtimePermissionGrants = [];
     await this.tc.signIn(options);
+    this.syncResolvedHostFromAuth();
     this.initializeServices();
     await this.writeManifestRegistryRecords();
     this.notificationHandler.success("Successfully signed in");
@@ -1471,8 +1705,8 @@ var _TinyCloudNode = class _TinyCloudNode {
     if (!this.auth || !this.signer) {
       throw new Error("Manifest registry write requires wallet mode");
     }
-    const accountSpaceId = this.ownedSpaceId(import_sdk_core5.ACCOUNT_REGISTRY_SPACE);
-    await this.auth.hostOwnedSpace(accountSpaceId);
+    const accountSpaceId = this.ownedSpaceId(import_sdk_core6.ACCOUNT_REGISTRY_SPACE);
+    await this.ensureOwnedSpaceHosted(accountSpaceId);
     const accountKV = this.spaces.get(accountSpaceId).kv;
     for (const record of request.registryRecords) {
       const result = await accountKV.put(record.key, {
@@ -1487,6 +1721,39 @@ var _TinyCloudNode = class _TinyCloudNode {
       }
     }
   }
+  async ensureOwnedSpaceHosted(spaceId) {
+    if (!this.auth) {
+      throw new Error("Owned space hosting requires wallet mode");
+    }
+    const session = this.auth.tinyCloudSession;
+    if (!session) {
+      throw new Error("Owned space hosting requires an active session");
+    }
+    const host = this.hosts[0] ?? this.config.host;
+    if (!host) {
+      throw new Error("Owned space hosting requires a TinyCloud host");
+    }
+    const activation = await (0, import_sdk_core6.activateSessionWithHost)(host, session.delegationHeader);
+    if (activation.success && !activation.skipped?.includes(spaceId)) {
+      return;
+    }
+    if (!activation.success && activation.status !== 404) {
+      throw new Error(
+        `Failed to check owned space ${spaceId}: ${activation.error ?? activation.status}`
+      );
+    }
+    const created = await this.auth.hostOwnedSpace(spaceId);
+    if (!created) {
+      throw new Error(`Failed to create owned space: ${spaceId}`);
+    }
+    await new Promise((resolve) => setTimeout(resolve, 100));
+    const retry = await (0, import_sdk_core6.activateSessionWithHost)(host, session.delegationHeader);
+    if (!retry.success || retry.skipped?.includes(spaceId)) {
+      throw new Error(
+        `Failed to activate session after creating owned space ${spaceId}: ${retry.error ?? "space was skipped"}`
+      );
+    }
+  }
   /**
    * Restore a previously established session from stored delegation data.
    *
@@ -1502,29 +1769,34 @@ var _TinyCloudNode = class _TinyCloudNode {
     this._sql = void 0;
     this._duckdb = void 0;
     this._hooks = void 0;
+    this._vault = void 0;
+    this._baseSecrets = void 0;
+    this._secrets = void 0;
+    this._spaceService = void 0;
     this._serviceContext = void 0;
+    this.runtimePermissionGrants = [];
     if (sessionData.address) {
       this._address = sessionData.address;
     }
     if (sessionData.chainId) {
       this._chainId = sessionData.chainId;
     }
-    this._serviceContext = new import_sdk_core5.ServiceContext({
-      invoke: this.wasmBindings.invoke,
-      invokeAny: this.wasmBindings.invokeAny,
+    this._serviceContext = new import_sdk_core6.ServiceContext({
+      invoke: this.invokeWithRuntimePermissions,
+      invokeAny: this.invokeAnyWithRuntimePermissions,
       fetch: globalThis.fetch.bind(globalThis),
       hosts: [this.config.host]
     });
-    this._kv = new import_sdk_core5.KVService({});
+    this._kv = new import_sdk_core6.KVService({});
     this._kv.initialize(this._serviceContext);
     this._serviceContext.registerService("kv", this._kv);
-    this._sql = new import_sdk_core5.SQLService({});
+    this._sql = new import_sdk_core6.SQLService({});
     this._sql.initialize(this._serviceContext);
     this._serviceContext.registerService("sql", this._sql);
-    this._duckdb = new import_sdk_core5.DuckDbService({});
+    this._duckdb = new import_sdk_core6.DuckDbService({});
     this._duckdb.initialize(this._serviceContext);
     this._serviceContext.registerService("duckdb", this._duckdb);
-    this._hooks = new import_sdk_core5.HooksService({});
+    this._hooks = new import_sdk_core6.HooksService({});
     this._hooks.initialize(this._serviceContext);
     this._serviceContext.registerService("hooks", this._hooks);
     const serviceSession = {
@@ -1535,41 +1807,7 @@ var _TinyCloudNode = class _TinyCloudNode {
       jwk: sessionData.jwk
     };
     this._serviceContext.setSession(serviceSession);
-    const wasm = this.wasmBindings;
-    const vaultCrypto = (0, import_sdk_core5.createVaultCrypto)({
-      vault_encrypt: wasm.vault_encrypt,
-      vault_decrypt: wasm.vault_decrypt,
-      vault_derive_key: wasm.vault_derive_key,
-      vault_x25519_from_seed: wasm.vault_x25519_from_seed,
-      vault_x25519_dh: wasm.vault_x25519_dh,
-      vault_random_bytes: wasm.vault_random_bytes,
-      vault_sha256: wasm.vault_sha256
-    });
-    const self = this;
-    this._vault = new import_sdk_core5.DataVaultService({
-      spaceId: sessionData.spaceId,
-      crypto: vaultCrypto,
-      tc: {
-        kv: this._kv,
-        ensurePublicSpace: async () => {
-          try {
-            await self.ensurePublicSpace();
-            return { ok: true, data: void 0 };
-          } catch (error) {
-            return { ok: false, error: { code: "STORAGE_ERROR", message: error instanceof Error ? error.message : String(error), service: "vault" } };
-          }
-        },
-        get publicKV() {
-          return self._publicKV ?? self.tc.publicKV;
-        },
-        readPublicSpace: (host, spaceId, key) => import_sdk_core5.TinyCloud.readPublicSpace(host, spaceId, key),
-        makePublicSpaceId: import_sdk_core5.TinyCloud.makePublicSpaceId,
-        did: this.did,
-        address: sessionData.address ?? this._address ?? "",
-        chainId: sessionData.chainId ?? this._chainId,
-        hosts: [this.config.host]
-      }
-    });
+    this._vault = this.createVaultService(sessionData.spaceId, this._kv);
     this._vault.initialize(this._serviceContext);
     this._serviceContext.registerService("vault", this._vault);
     this.initializeV2Services(serviceSession);
@@ -1604,7 +1842,6 @@ var _TinyCloudNode = class _TinyCloudNode {
       throw new Error("Wallet already connected. Cannot connect another wallet.");
     }
     const prefix = options?.prefix ?? "default";
-    const host = this.config.host;
     if (!_TinyCloudNode.nodeDefaults) {
       throw new Error(
         "connectWallet() requires PrivateKeySigner. Use connectSigner() instead, or import from '@tinycloud/node-sdk' (not '/core') for automatic Node.js defaults."
@@ -1619,7 +1856,9 @@ var _TinyCloudNode = class _TinyCloudNode {
       domain: this.siweDomain,
       spacePrefix: prefix,
       sessionExpirationMs: this.config.sessionExpirationMs ?? 60 * 60 * 1e3,
-      tinycloudHosts: [host],
+      tinycloudHosts: this.explicitHost ? [this.explicitHost] : void 0,
+      tinycloudRegistryUrl: this.config.tinycloudRegistryUrl,
+      tinycloudFallbackHosts: this.config.tinycloudFallbackHosts,
       autoCreateSpace: this.config.autoCreateSpace,
       enablePublicSpace: this.config.enablePublicSpace ?? true,
       spaceCreationHandler: this.config.spaceCreationHandler,
@@ -1629,8 +1868,8 @@ var _TinyCloudNode = class _TinyCloudNode {
       capabilityRequest: this.config.capabilityRequest,
       includeAccountRegistryPermissions: this.config.includeAccountRegistryPermissions
     });
-    this.tc = new import_sdk_core5.TinyCloud(this.auth, {
-      invokeAny: this.wasmBindings.invokeAny
+    this.tc = new import_sdk_core6.TinyCloud(this.auth, {
+      invokeAny: this.invokeAnyWithRuntimePermissions
     });
     this.config.prefix = prefix;
   }
@@ -1652,7 +1891,6 @@ var _TinyCloudNode = class _TinyCloudNode {
       throw new Error("Signer already connected. Cannot connect another signer.");
     }
     const prefix = options?.prefix ?? "default";
-    const host = this.config.host;
     this.signer = signer;
     this.auth = new NodeUserAuthorization({
       signer: this.signer,
@@ -1662,7 +1900,9 @@ var _TinyCloudNode = class _TinyCloudNode {
       domain: this.siweDomain,
       spacePrefix: prefix,
       sessionExpirationMs: this.config.sessionExpirationMs ?? 60 * 60 * 1e3,
-      tinycloudHosts: [host],
+      tinycloudHosts: this.explicitHost ? [this.explicitHost] : void 0,
+      tinycloudRegistryUrl: this.config.tinycloudRegistryUrl,
+      tinycloudFallbackHosts: this.config.tinycloudFallbackHosts,
       autoCreateSpace: this.config.autoCreateSpace,
       enablePublicSpace: this.config.enablePublicSpace ?? true,
       spaceCreationHandler: this.config.spaceCreationHandler,
@@ -1672,8 +1912,8 @@ var _TinyCloudNode = class _TinyCloudNode {
       capabilityRequest: this.config.capabilityRequest,
       includeAccountRegistryPermissions: this.config.includeAccountRegistryPermissions
     });
-    this.tc = new import_sdk_core5.TinyCloud(this.auth, {
-      invokeAny: this.wasmBindings.invokeAny
+    this.tc = new import_sdk_core6.TinyCloud(this.auth, {
+      invokeAny: this.invokeAnyWithRuntimePermissions
     });
     this.config.prefix = prefix;
   }
@@ -1686,28 +1926,28 @@ var _TinyCloudNode = class _TinyCloudNode {
     if (!session) {
       return;
     }
-    this.tc.initializeServices(this.wasmBindings.invoke, [this.config.host]);
-    this._serviceContext = new import_sdk_core5.ServiceContext({
-      invoke: this.wasmBindings.invoke,
-      invokeAny: this.wasmBindings.invokeAny,
+    this.tc.initializeServices(this.invokeWithRuntimePermissions, [this.config.host]);
+    this._serviceContext = new import_sdk_core6.ServiceContext({
+      invoke: this.invokeWithRuntimePermissions,
+      invokeAny: this.invokeAnyWithRuntimePermissions,
       fetch: globalThis.fetch.bind(globalThis),
       hosts: [this.config.host]
     });
-    this._kv = new import_sdk_core5.KVService({});
+    this._kv = new import_sdk_core6.KVService({});
     this._kv.initialize(this._serviceContext);
     this._serviceContext.registerService("kv", this._kv);
     const features = this.nodeFeatures;
     if (features.length === 0 || features.includes("sql")) {
-      this._sql = new import_sdk_core5.SQLService({});
+      this._sql = new import_sdk_core6.SQLService({});
       this._sql.initialize(this._serviceContext);
       this._serviceContext.registerService("sql", this._sql);
     }
     if (features.length === 0 || features.includes("duckdb")) {
-      this._duckdb = new import_sdk_core5.DuckDbService({});
+      this._duckdb = new import_sdk_core6.DuckDbService({});
       this._duckdb.initialize(this._serviceContext);
       this._serviceContext.registerService("duckdb", this._duckdb);
     }
-    this._hooks = new import_sdk_core5.HooksService({});
+    this._hooks = new import_sdk_core6.HooksService({});
     this._hooks.initialize(this._serviceContext);
     this._serviceContext.registerService("hooks", this._hooks);
     const serviceSession = {
@@ -1719,8 +1959,30 @@ var _TinyCloudNode = class _TinyCloudNode {
     };
     this._serviceContext.setSession(serviceSession);
     this.tc.serviceContext.setSession(serviceSession);
+    this._vault = this.createVaultService(session.spaceId, this._kv);
+    this._vault.initialize(this._serviceContext);
+    this._serviceContext.registerService("vault", this._vault);
+    this.initializeV2Services(serviceSession);
+  }
+  createSpaceScopedKVService(spaceId) {
+    const kvService = new import_sdk_core6.KVService({});
+    if (this._serviceContext) {
+      const spaceScopedContext = new import_sdk_core6.ServiceContext({
+        invoke: this._serviceContext.invoke,
+        fetch: this._serviceContext.fetch,
+        hosts: this._serviceContext.hosts
+      });
+      const session = this._serviceContext.session;
+      if (session) {
+        spaceScopedContext.setSession({ ...session, spaceId });
+      }
+      kvService.initialize(spaceScopedContext);
+    }
+    return kvService;
+  }
+  createVaultService(spaceId, kv) {
     const wasm = this.wasmBindings;
-    const vaultCrypto = (0, import_sdk_core5.createVaultCrypto)({
+    const vaultCrypto = (0, import_sdk_core6.createVaultCrypto)({
       vault_encrypt: wasm.vault_encrypt,
       vault_decrypt: wasm.vault_decrypt,
       vault_derive_key: wasm.vault_derive_key,
@@ -1730,11 +1992,11 @@ var _TinyCloudNode = class _TinyCloudNode {
       vault_sha256: wasm.vault_sha256
     });
     const self = this;
-    this._vault = new import_sdk_core5.DataVaultService({
-      spaceId: session.spaceId,
+    return new import_sdk_core6.DataVaultService({
+      spaceId,
       crypto: vaultCrypto,
       tc: {
-        kv: this._kv,
+        kv,
         ensurePublicSpace: async () => {
           try {
             await self.ensurePublicSpace();
@@ -1746,24 +2008,21 @@ var _TinyCloudNode = class _TinyCloudNode {
         get publicKV() {
           return self._publicKV ?? self.tc.publicKV;
         },
-        readPublicSpace: (host, spaceId, key) => import_sdk_core5.TinyCloud.readPublicSpace(host, spaceId, key),
-        makePublicSpaceId: import_sdk_core5.TinyCloud.makePublicSpaceId,
+        readPublicSpace: (host, targetSpaceId, key) => import_sdk_core6.TinyCloud.readPublicSpace(host, targetSpaceId, key),
+        makePublicSpaceId: import_sdk_core6.TinyCloud.makePublicSpaceId,
         did: this.did,
-        address: this._address,
+        address: this._address ?? "",
         chainId: this._chainId,
         hosts: [this.config.host]
       }
     });
-    this._vault.initialize(this._serviceContext);
-    this._serviceContext.registerService("vault", this._vault);
-    this.initializeV2Services(serviceSession);
   }
   /**
    * Initialize the v2 delegation system services.
    * @internal
    */
   initializeV2Services(serviceSession) {
-    this._capabilityRegistry = new import_sdk_core5.CapabilityKeyRegistry();
+    this._capabilityRegistry = new import_sdk_core6.CapabilityKeyRegistry();
     const tcSession = this.auth?.tinyCloudSession;
     if (tcSession && this._address) {
       const sessionKey = {
@@ -1837,13 +2096,13 @@ var _TinyCloudNode = class _TinyCloudNode {
       }
       this._capabilityRegistry.registerKey(sessionKey, delegations);
     }
-    this._delegationManager = new import_sdk_core5.DelegationManager({
+    this._delegationManager = new import_sdk_core6.DelegationManager({
       hosts: [this.config.host],
       session: serviceSession,
-      invoke: this.wasmBindings.invoke,
+      invoke: this.invokeWithRuntimePermissions,
       fetch: globalThis.fetch.bind(globalThis)
     });
-    this._spaceService = new import_sdk_core5.SpaceService({
+    this._spaceService = new import_sdk_core6.SpaceService({
       hosts: [this.config.host],
       session: serviceSession,
       invoke: this.wasmBindings.invoke,
@@ -1851,20 +2110,15 @@ var _TinyCloudNode = class _TinyCloudNode {
       capabilityRegistry: this._capabilityRegistry,
       userDid: this.did,
       createKVService: (spaceId) => {
-        const kvService = new import_sdk_core5.KVService({});
+        return this.createSpaceScopedKVService(spaceId);
+      },
+      createVaultService: (spaceId) => {
+        const kvService = this.createSpaceScopedKVService(spaceId);
+        const vaultService = this.createVaultService(spaceId, kvService);
         if (this._serviceContext) {
-          const spaceScopedContext = new import_sdk_core5.ServiceContext({
-            invoke: this._serviceContext.invoke,
-            fetch: this._serviceContext.fetch,
-            hosts: this._serviceContext.hosts
-          });
-          const session = this._serviceContext.session;
-          if (session) {
-            spaceScopedContext.setSession({ ...session, spaceId });
-          }
-          kvService.initialize(spaceScopedContext);
+          vaultService.initialize(this._serviceContext);
         }
-        return kvService;
+        return vaultService;
       },
       // Enable space.delegations.create() via SIWE-based delegation
       createDelegation: async (params) => {
@@ -2005,7 +2259,7 @@ var _TinyCloudNode = class _TinyCloudNode {
         ...prepared,
         signature
       });
-      const activateResult = await (0, import_sdk_core5.activateSessionWithHost)(
+      const activateResult = await (0, import_sdk_core6.activateSessionWithHost)(
         host,
         delegationSession.delegationHeader
       );
@@ -2072,7 +2326,7 @@ var _TinyCloudNode = class _TinyCloudNode {
     if (!this._sql) {
       const features = this.nodeFeatures;
       if (features.length > 0 && !features.includes("sql")) {
-        throw new import_sdk_core5.UnsupportedFeatureError("sql", this.config.host, features);
+        throw new import_sdk_core6.UnsupportedFeatureError("sql", this.config.host, features);
       }
       throw new Error("Not signed in. Call signIn() first.");
     }
@@ -2085,7 +2339,7 @@ var _TinyCloudNode = class _TinyCloudNode {
     if (!this._duckdb) {
       const features = this.nodeFeatures;
       if (features.length > 0 && !features.includes("duckdb")) {
-        throw new import_sdk_core5.UnsupportedFeatureError("duckdb", this.config.host, features);
+        throw new import_sdk_core6.UnsupportedFeatureError("duckdb", this.config.host, features);
       }
       throw new Error("Not signed in. Call signIn() first.");
     }
@@ -2101,6 +2355,33 @@ var _TinyCloudNode = class _TinyCloudNode {
     }
     return this._vault;
   }
+  /**
+   * App-facing secrets API backed by the `secrets` space vault.
+   */
+  get secrets() {
+    if (!this._spaceService) {
+      throw new Error("Not signed in. Call signIn() first.");
+    }
+    if (!this._secrets) {
+      this._secrets = new NodeSecretsService({
+        getService: () => this.getBaseSecrets(),
+        getManifest: () => this.manifest,
+        grantPermissions: (additional) => this.grantRuntimePermissions(additional),
+        canEscalate: () => this.signer !== void 0 && this.tc !== void 0,
+        getUnlockSigner: () => this.signer ?? void 0
+      });
+    }
+    return this._secrets;
+  }
+  getBaseSecrets() {
+    if (!this._spaceService) {
+      throw new Error("Not signed in. Call signIn() first.");
+    }
+    if (!this._baseSecrets) {
+      this._baseSecrets = new import_sdk_core6.SecretsService(() => this.space("secrets").vault);
+    }
+    return this._baseSecrets;
+  }
   /**
    * Hooks write stream subscription API.
    */
@@ -2171,6 +2452,171 @@ var _TinyCloudNode = class _TinyCloudNode {
       }
     };
   }
+  /**
+   * Check whether the current session or an approved runtime delegation covers
+   * every requested permission.
+   */
+  hasRuntimePermissions(permissions) {
+    const session = this.auth?.tinyCloudSession;
+    if (!session || !Array.isArray(permissions) || permissions.length === 0) {
+      return false;
+    }
+    const expanded = this.expandPermissionEntries(permissions);
+    if (this.sessionCoversPermissionEntries(session, expanded)) {
+      return true;
+    }
+    return this.findRuntimeGrantsForPermissionEntries(expanded, session).length > 0;
+  }
+  /**
+   * Return installed runtime permission delegations. When `permissions` is
+   * provided, only delegations currently covering those permissions are
+   * returned. Base-session manifest permissions are not represented here.
+   */
+  getRuntimePermissionDelegations(permissions) {
+    this.pruneExpiredRuntimePermissionGrants();
+    if (permissions === void 0) {
+      return this.runtimePermissionGrants.map((grant) => grant.delegation);
+    }
+    const session = this.auth?.tinyCloudSession;
+    if (!session || !Array.isArray(permissions) || permissions.length === 0) {
+      return [];
+    }
+    const expanded = this.expandPermissionEntries(permissions);
+    return this.findRuntimeGrantsForPermissionEntries(expanded, session).map(
+      (grant) => grant.delegation
+    );
+  }
+  /**
+   * Install a portable runtime permission delegation into this SDK instance so
+   * matching service calls and downstream `delegateTo()` calls can use it.
+   */
+  async useRuntimeDelegation(delegation) {
+    const session = this.auth?.tinyCloudSession;
+    if (!session) {
+      throw new import_sdk_core6.SessionExpiredError(/* @__PURE__ */ new Date(0));
+    }
+    if (delegation.expiry.getTime() <= Date.now()) {
+      throw new import_sdk_core6.SessionExpiredError(delegation.expiry);
+    }
+    const expectedDids = /* @__PURE__ */ new Set([session.verificationMethod, this.sessionDid]);
+    if (!expectedDids.has(delegation.delegateDID)) {
+      throw new Error(
+        `Runtime delegation targets ${delegation.delegateDID} but this session key is ${session.verificationMethod}.`
+      );
+    }
+    const targetHost = delegation.host ?? this.config.host;
+    const activateResult = await (0, import_sdk_core6.activateSessionWithHost)(
+      targetHost,
+      delegation.delegationHeader
+    );
+    if (!activateResult.success) {
+      throw new Error(
+        `Failed to activate runtime permission delegation: ${activateResult.error}`
+      );
+    }
+    this.runtimePermissionGrants = this.runtimePermissionGrants.filter(
+      (grant) => grant.delegation.cid !== delegation.cid
+    );
+    this.runtimePermissionGrants.push(
+      this.runtimeGrantFromDelegation(delegation, session)
+    );
+  }
+  /**
+   * Store additional permissions as narrow delegations to the current session
+   * key. Future service invocations automatically use a stored delegation when
+   * its `(space, service, path, action)` covers the request.
+   */
+  async grantRuntimePermissions(permissions, options) {
+    if (!Array.isArray(permissions) || permissions.length === 0) {
+      throw new Error("grantRuntimePermissions requires a non-empty permissions array");
+    }
+    const session = this.auth?.tinyCloudSession;
+    if (!session) {
+      throw new import_sdk_core6.SessionExpiredError(/* @__PURE__ */ new Date(0));
+    }
+    const sessionExpiry = extractSiweExpiration(session.siwe);
+    if (sessionExpiry !== void 0) {
+      const marginMs = _TinyCloudNode.SESSION_EXPIRY_SAFETY_MARGIN_MS;
+      if (sessionExpiry.getTime() <= Date.now() + marginMs) {
+        throw new import_sdk_core6.SessionExpiredError(sessionExpiry);
+      }
+    }
+    const expanded = this.expandPermissionEntries(permissions);
+    if (this.sessionCoversPermissionEntries(session, expanded)) {
+      return [];
+    }
+    const existingGrants = this.findRuntimeGrantsForPermissionEntries(expanded, session);
+    if (existingGrants.length > 0) {
+      return existingGrants.map((grant) => grant.delegation);
+    }
+    if (!this.signer) {
+      throw new Error(
+        "grantRuntimePermissions requires wallet mode with a signer or privateKey."
+      );
+    }
+    const bySpace = /* @__PURE__ */ new Map();
+    for (const entry of expanded) {
+      const spaceId = this.resolvePermissionSpace(entry.space, session);
+      const current = bySpace.get(spaceId) ?? [];
+      current.push(entry);
+      bySpace.set(spaceId, current);
+    }
+    const now = /* @__PURE__ */ new Date();
+    const requestedExpiryMs = resolveExpiryMs(options?.expiry);
+    let expiresAt = new Date(now.getTime() + requestedExpiryMs);
+    if (sessionExpiry !== void 0 && sessionExpiry < expiresAt) {
+      expiresAt = sessionExpiry;
+    }
+    const delegations = [];
+    for (const [spaceId, entries] of bySpace) {
+      const abilities = this.permissionsToAbilities(entries);
+      const prepared = this.wasmBindings.prepareSession({
+        abilities,
+        address: this.wasmBindings.ensureEip55(session.address),
+        chainId: session.chainId,
+        domain: this.siweDomain,
+        issuedAt: now.toISOString(),
+        expirationTime: expiresAt.toISOString(),
+        spaceId,
+        jwk: session.jwk
+      });
+      const signature = await this.signer.signMessage(prepared.siwe);
+      const delegatedSession = this.wasmBindings.completeSessionSetup({
+        ...prepared,
+        signature
+      });
+      const activateResult = await (0, import_sdk_core6.activateSessionWithHost)(
+        this.config.host,
+        delegatedSession.delegationHeader
+      );
+      if (!activateResult.success) {
+        throw new Error(
+          `Failed to activate runtime permission delegation: ${activateResult.error}`
+        );
+      }
+      const delegation = this.runtimeDelegationFromSession(
+        delegatedSession,
+        entries,
+        spaceId,
+        session,
+        expiresAt
+      );
+      this.runtimePermissionGrants.push({
+        session: {
+          delegationHeader: delegatedSession.delegationHeader,
+          delegationCid: delegatedSession.delegationCid,
+          spaceId,
+          verificationMethod: session.verificationMethod,
+          jwk: session.jwk
+        },
+        delegation,
+        operations: this.permissionOperations(entries, spaceId),
+        expiresAt
+      });
+      delegations.push(delegation);
+    }
+    return delegations;
+  }
   /**
    * Get the DelegationManager for delegation CRUD operations.
    *
@@ -2239,6 +2685,12 @@ var _TinyCloudNode = class _TinyCloudNode {
   get spaceService() {
     return this.spaces;
   }
+  /**
+   * Get a Space object by short name or full URI.
+   */
+  space(nameOrUri) {
+    return this.spaces.get(nameOrUri);
+  }
   /**
    * Get the SharingService for creating and receiving v2 sharing links.
    *
@@ -2324,7 +2776,7 @@ var _TinyCloudNode = class _TinyCloudNode {
       ...prepared,
       signature
     });
-    const activateResult = await (0, import_sdk_core5.activateSessionWithHost)(
+    const activateResult = await (0, import_sdk_core6.activateSessionWithHost)(
       this.config.host,
       delegationSession.delegationHeader
     );
@@ -2351,9 +2803,9 @@ var _TinyCloudNode = class _TinyCloudNode {
       }]);
     }
     if (this._serviceContext) {
-      const publicKV = new import_sdk_core5.KVService({ prefix: "" });
-      const publicContext = new import_sdk_core5.ServiceContext({
-        invoke: this.wasmBindings.invoke,
+      const publicKV = new import_sdk_core6.KVService({ prefix: "" });
+      const publicContext = new import_sdk_core6.ServiceContext({
+        invoke: this.invokeWithRuntimePermissions,
         fetch: this._serviceContext.fetch,
         hosts: this._serviceContext.hosts
       });
@@ -2441,8 +2893,9 @@ var _TinyCloudNode = class _TinyCloudNode {
    * Issue a delegation using the capability-chain flow.
    *
    * When every requested permission is a subset of the current
-   * session's recap, the delegation is signed by the session key via
-   * WASM — no wallet prompt. When at least one is NOT derivable, a
+   * session's recap, or of one installed runtime permission delegation,
+   * the delegation is signed by the session key via WASM — no wallet
+   * prompt. When at least one is NOT derivable, a
    * {@link PermissionNotInManifestError} is raised (carrying the
    * missing entries) so the caller can trigger an escalation flow
    * (e.g. `TinyCloudWeb.requestPermissions`). Passing
@@ -2477,14 +2930,14 @@ var _TinyCloudNode = class _TinyCloudNode {
   async delegateTo(did, permissions, options) {
     const session = this.auth?.tinyCloudSession;
     if (!session) {
-      throw new import_sdk_core5.SessionExpiredError(/* @__PURE__ */ new Date(0));
+      throw new import_sdk_core6.SessionExpiredError(/* @__PURE__ */ new Date(0));
     }
     const sessionExpiry = extractSiweExpiration(session.siwe);
     if (sessionExpiry !== void 0) {
       const now2 = Date.now();
       const marginMs = _TinyCloudNode.SESSION_EXPIRY_SAFETY_MARGIN_MS;
       if (sessionExpiry.getTime() <= now2 + marginMs) {
-        throw new import_sdk_core5.SessionExpiredError(sessionExpiry);
+        throw new import_sdk_core6.SessionExpiredError(sessionExpiry);
       }
     }
     if (!Array.isArray(permissions) || permissions.length === 0) {
@@ -2492,10 +2945,7 @@ var _TinyCloudNode = class _TinyCloudNode {
         "delegateTo requires a non-empty permissions array"
       );
     }
-    const expandedEntries = permissions.map((entry) => ({
-      ...entry,
-      actions: (0, import_sdk_core5.expandActionShortNames)(entry.service, entry.actions)
-    }));
+    const expandedEntries = this.expandPermissionEntries(permissions);
     const now = /* @__PURE__ */ new Date();
     const expiryMs = resolveExpiryMs(options?.expiry);
     const expirationTime = new Date(now.getTime() + expiryMs);
@@ -2516,13 +2966,30 @@ var _TinyCloudNode = class _TinyCloudNode {
       );
       return { delegation: delegation2, prompted: true };
     }
-    const granted = (0, import_sdk_core5.parseRecapCapabilities)(
+    const granted = (0, import_sdk_core6.parseRecapCapabilities)(
       (siwe) => this.wasmBindings.parseRecapFromSiwe(siwe),
       session.siwe
     );
-    const { subset, missing } = (0, import_sdk_core5.isCapabilitySubset)(expandedEntries, granted);
+    const { subset, missing } = (0, import_sdk_core6.isCapabilitySubset)(expandedEntries, granted);
     if (!subset) {
-      throw new import_sdk_core5.PermissionNotInManifestError(missing, granted);
+      const runtimeGrant = this.findGrantForOperations(
+        this.permissionEntriesToOperations(expandedEntries, session)
+      );
+      if (runtimeGrant) {
+        const marginMs = _TinyCloudNode.SESSION_EXPIRY_SAFETY_MARGIN_MS;
+        if (runtimeGrant.expiresAt.getTime() <= Date.now() + marginMs) {
+          throw new import_sdk_core6.SessionExpiredError(runtimeGrant.expiresAt);
+        }
+        const runtimeExpiration = runtimeGrant.expiresAt < effectiveExpiration ? runtimeGrant.expiresAt : effectiveExpiration;
+        const delegation2 = await this.createDelegationViaRuntimeGrant(
+          did,
+          expandedEntries,
+          runtimeExpiration,
+          runtimeGrant
+        );
+        return { delegation: delegation2, prompted: false };
+      }
+      throw new import_sdk_core6.PermissionNotInManifestError(missing, granted);
     }
     const delegation = await this.createDelegationViaWasmPath(
       did,
@@ -2602,7 +3069,7 @@ var _TinyCloudNode = class _TinyCloudNode {
     const spaceId = [...resolvedSpaces][0];
     const abilities = {};
     for (const entry of entries) {
-      const shortService = import_sdk_core5.SERVICE_LONG_TO_SHORT[entry.service];
+      const shortService = import_sdk_core6.SERVICE_LONG_TO_SHORT[entry.service];
       if (shortService === void 0) {
         throw new Error(
           `delegateTo: unknown service '${entry.service}' \u2014 no short-form mapping`
@@ -2642,7 +3109,7 @@ var _TinyCloudNode = class _TinyCloudNode {
     });
     const primary = result.resources[0];
     const delegationHeader = { Authorization: result.delegation };
-    const activateResult = await (0, import_sdk_core5.activateSessionWithHost)(
+    const activateResult = await (0, import_sdk_core6.activateSessionWithHost)(
       this.config.host,
       delegationHeader
     );
@@ -2666,6 +3133,41 @@ var _TinyCloudNode = class _TinyCloudNode {
       host: this.config.host
     };
   }
+  async createDelegationViaRuntimeGrant(did, entries, expirationTime, grant) {
+    const result = this.createDelegationWrapper({
+      session: grant.session,
+      delegateDID: did,
+      spaceId: grant.session.spaceId,
+      abilities: this.permissionsToAbilities(entries),
+      expirationSecs: Math.floor(expirationTime.getTime() / 1e3)
+    });
+    const primary = result.resources[0];
+    const delegationHeader = { Authorization: result.delegation };
+    const targetHost = grant.delegation.host ?? this.config.host;
+    const activateResult = await (0, import_sdk_core6.activateSessionWithHost)(
+      targetHost,
+      delegationHeader
+    );
+    if (!activateResult.success) {
+      throw new Error(
+        `Failed to activate delegation with host: ${activateResult.error}`
+      );
+    }
+    return {
+      cid: result.cid,
+      delegationHeader,
+      spaceId: grant.session.spaceId,
+      path: primary.path,
+      actions: primary.actions,
+      resources: result.resources,
+      disableSubDelegation: false,
+      expiry: result.expiry,
+      delegateDID: did,
+      ownerAddress: grant.delegation.ownerAddress,
+      chainId: grant.delegation.chainId,
+      host: targetHost
+    };
+  }
   resolvePermissionSpace(space, session) {
     if (space === void 0) {
       return this.wasmBindings.makeSpaceId(
@@ -2682,6 +3184,220 @@ var _TinyCloudNode = class _TinyCloudNode {
     }
     return this.wasmBindings.makeSpaceId(session.address, session.chainId, space);
   }
+  expandPermissionEntries(permissions) {
+    return (0, import_sdk_core6.expandPermissionEntries)(permissions);
+  }
+  shortServiceName(service) {
+    const short = import_sdk_core6.SERVICE_LONG_TO_SHORT[service];
+    if (short === void 0) {
+      throw new Error(
+        `unknown service '${service}' \u2014 no short-form mapping`
+      );
+    }
+    return short;
+  }
+  permissionsToAbilities(entries) {
+    const abilities = {};
+    for (const entry of entries) {
+      const service = this.shortServiceName(entry.service);
+      abilities[service] ?? (abilities[service] = {});
+      const existing = abilities[service][entry.path] ?? [];
+      const seen = new Set(existing);
+      for (const action of entry.actions) {
+        if (!seen.has(action)) {
+          existing.push(action);
+          seen.add(action);
+        }
+      }
+      abilities[service][entry.path] = existing;
+    }
+    return abilities;
+  }
+  permissionOperations(entries, spaceId) {
+    return entries.flatMap((entry) => {
+      const service = this.shortServiceName(entry.service);
+      return entry.actions.map((action) => ({
+        spaceId,
+        service,
+        path: entry.path,
+        action
+      }));
+    });
+  }
+  sessionCoversPermissionEntries(session, entries) {
+    try {
+      const granted = (0, import_sdk_core6.parseRecapCapabilities)(
+        (siwe) => this.wasmBindings.parseRecapFromSiwe(siwe),
+        session.siwe
+      );
+      return (0, import_sdk_core6.isCapabilitySubset)(entries, granted).subset;
+    } catch {
+      return false;
+    }
+  }
+  permissionEntriesToOperations(entries, session) {
+    return entries.flatMap((entry) => {
+      const spaceId = this.resolvePermissionSpace(entry.space, session);
+      const service = this.shortServiceName(entry.service);
+      return entry.actions.map((action) => ({
+        spaceId,
+        service,
+        path: entry.path,
+        action
+      }));
+    });
+  }
+  findRuntimeGrantsForPermissionEntries(entries, session) {
+    const grants = [];
+    const operations = this.permissionEntriesToOperations(entries, session);
+    if (operations.length === 0) {
+      return grants;
+    }
+    for (const operation of operations) {
+      const grant = this.findGrantForOperation(operation);
+      if (!grant) {
+        return [];
+      }
+      if (!grants.includes(grant)) {
+        grants.push(grant);
+      }
+    }
+    return grants;
+  }
+  runtimeDelegationFromSession(delegatedSession, entries, spaceId, session, expiresAt) {
+    const resources = this.delegatedResourcesForEntries(entries, spaceId);
+    const primary = resources[0];
+    return {
+      cid: delegatedSession.delegationCid,
+      delegationHeader: delegatedSession.delegationHeader,
+      spaceId,
+      path: primary.path,
+      actions: primary.actions,
+      resources,
+      disableSubDelegation: false,
+      expiry: expiresAt,
+      delegateDID: session.verificationMethod,
+      ownerAddress: session.address,
+      chainId: session.chainId,
+      host: this.config.host
+    };
+  }
+  runtimeGrantFromDelegation(delegation, session) {
+    const operations = this.operationsFromDelegation(delegation);
+    return {
+      session: {
+        delegationHeader: delegation.delegationHeader,
+        delegationCid: delegation.cid,
+        spaceId: delegation.spaceId,
+        verificationMethod: session.verificationMethod,
+        jwk: session.jwk
+      },
+      delegation,
+      operations,
+      expiresAt: delegation.expiry
+    };
+  }
+  delegatedResourcesForEntries(entries, spaceId) {
+    return entries.map((entry) => ({
+      service: this.shortServiceName(entry.service),
+      space: spaceId,
+      path: entry.path,
+      actions: [...entry.actions]
+    }));
+  }
+  operationsFromDelegation(delegation) {
+    const resources = delegation.resources !== void 0 && delegation.resources.length > 0 ? delegation.resources : this.flatDelegationResources(delegation);
+    return resources.flatMap(
+      (resource) => resource.actions.map((action) => ({
+        spaceId: resource.space,
+        service: this.invocationServiceName(resource.service),
+        path: resource.path,
+        action
+      }))
+    );
+  }
+  flatDelegationResources(delegation) {
+    const byService = /* @__PURE__ */ new Map();
+    for (const action of delegation.actions) {
+      const service = this.shortServiceName(action.split("/")[0]);
+      const actions = byService.get(service) ?? [];
+      actions.push(action);
+      byService.set(service, actions);
+    }
+    return [...byService.entries()].map(([service, actions]) => ({
+      service,
+      space: delegation.spaceId,
+      path: delegation.path,
+      actions
+    }));
+  }
+  selectInvocationSession(fallback, service, path, action) {
+    const grant = this.findGrantForOperation({
+      spaceId: fallback.spaceId,
+      service: this.invocationServiceName(service),
+      path,
+      action
+    });
+    return grant?.session ?? fallback;
+  }
+  findGrantForOperations(operations) {
+    if (operations.length === 0) {
+      return void 0;
+    }
+    this.pruneExpiredRuntimePermissionGrants();
+    return this.runtimePermissionGrants.find((grant) => {
+      return operations.every(
+        (operation) => grant.operations.some(
+          (granted) => this.operationCovers(granted, operation)
+        )
+      );
+    });
+  }
+  findGrantForOperation(operation) {
+    return this.findGrantForOperations([operation]);
+  }
+  pruneExpiredRuntimePermissionGrants() {
+    const now = Date.now();
+    this.runtimePermissionGrants = this.runtimePermissionGrants.filter(
+      (grant) => grant.expiresAt.getTime() > now
+    );
+  }
+  operationCovers(granted, requested) {
+    return granted.spaceId === requested.spaceId && granted.service === requested.service && this.actionContains(granted.action, requested.action) && this.pathContains(granted.path, requested.path);
+  }
+  actionContains(grantedAction, requestedAction) {
+    if (grantedAction === requestedAction) {
+      return true;
+    }
+    if (grantedAction.endsWith("/*")) {
+      const prefix = grantedAction.slice(0, -2);
+      return requestedAction.startsWith(`${prefix}/`);
+    }
+    return false;
+  }
+  invocationServiceName(service) {
+    return service.startsWith("tinycloud.") ? this.shortServiceName(service) : service;
+  }
+  pathContains(grantedPath, requestedPath) {
+    if (grantedPath === "" || grantedPath === "/") {
+      return true;
+    }
+    if (grantedPath.endsWith("/**")) {
+      return requestedPath.startsWith(grantedPath.slice(0, -3));
+    }
+    if (grantedPath.endsWith("/*")) {
+      const prefix = grantedPath.slice(0, -2);
+      if (!requestedPath.startsWith(prefix)) {
+        return false;
+      }
+      const remainder = requestedPath.slice(prefix.length);
+      return !remainder.includes("/") || remainder === "/";
+    }
+    if (grantedPath.endsWith("/")) {
+      return requestedPath.startsWith(grantedPath);
+    }
+    return grantedPath === requestedPath;
+  }
   /**
    * Issue a delegation via the legacy wallet-signed SIWE path for a single
    * {@link PermissionEntry}. Shares the implementation with the public
@@ -2738,7 +3454,7 @@ var _TinyCloudNode = class _TinyCloudNode {
       );
       return result.delegation;
     } catch (err) {
-      if (err instanceof import_sdk_core5.PermissionNotInManifestError) {
+      if (err instanceof import_sdk_core6.PermissionNotInManifestError) {
       } else {
         throw err;
       }
@@ -2795,7 +3511,7 @@ var _TinyCloudNode = class _TinyCloudNode {
       ...prepared,
       signature
     });
-    const activateResult = await (0, import_sdk_core5.activateSessionWithHost)(
+    const activateResult = await (0, import_sdk_core6.activateSessionWithHost)(
       this.config.host,
       delegationSession.delegationHeader
     );
@@ -2817,7 +3533,7 @@ var _TinyCloudNode = class _TinyCloudNode {
     };
     const hasKvActions = params.actions.some((a) => a.startsWith("tinycloud.kv/"));
     if (hasKvActions && params.includePublicSpace !== false) {
-      const publicSpaceId = (0, import_sdk_core5.makePublicSpaceId)(
+      const publicSpaceId = (0, import_sdk_core6.makePublicSpaceId)(
         this.wasmBindings.ensureEip55(session.address),
         session.chainId
       );
@@ -2840,7 +3556,7 @@ var _TinyCloudNode = class _TinyCloudNode {
         ...publicPrepared,
         signature: publicSignature
       });
-      const publicActivateResult = await (0, import_sdk_core5.activateSessionWithHost)(
+      const publicActivateResult = await (0, import_sdk_core6.activateSessionWithHost)(
         this.config.host,
         publicSession.delegationHeader
       );
@@ -2939,7 +3655,7 @@ var _TinyCloudNode = class _TinyCloudNode {
       ...prepared,
       signature
     });
-    const activateResult = await (0, import_sdk_core5.activateSessionWithHost)(
+    const activateResult = await (0, import_sdk_core6.activateSessionWithHost)(
       targetHost,
       invokerSession.delegationHeader
     );
@@ -3028,7 +3744,7 @@ var _TinyCloudNode = class _TinyCloudNode {
       ...prepared,
       signature
     });
-    const activateResult = await (0, import_sdk_core5.activateSessionWithHost)(
+    const activateResult = await (0, import_sdk_core6.activateSessionWithHost)(
       targetHost,
       subDelegationSession.delegationHeader
     );
@@ -3064,7 +3780,7 @@ _TinyCloudNode.SESSION_EXPIRY_SAFETY_MARGIN_MS = 6e4;
 var TinyCloudNode = _TinyCloudNode;
 // src/core.ts
-var import_sdk_core8 = require("@tinycloud/sdk-core");
+var import_sdk_core9 = require("@tinycloud/sdk-core");
 // src/delegation.ts
 function serializeDelegation(delegation) {
@@ -3083,7 +3799,6 @@ function deserializeDelegation(data) {
 }
 // src/core.ts
-var import_sdk_core9 = require("@tinycloud/sdk-core");
 var import_sdk_core10 = require("@tinycloud/sdk-core");
 var import_sdk_core11 = require("@tinycloud/sdk-core");
 var import_sdk_core12 = require("@tinycloud/sdk-core");
@@ -3092,6 +3807,7 @@ var import_sdk_core14 = require("@tinycloud/sdk-core");
 var import_sdk_core15 = require("@tinycloud/sdk-core");
 var import_sdk_core16 = require("@tinycloud/sdk-core");
 var import_sdk_core17 = require("@tinycloud/sdk-core");
+var import_sdk_core18 = require("@tinycloud/sdk-core");
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
   ACCOUNT_REGISTRY_PATH,
@@ -3117,8 +3833,10 @@ var import_sdk_core17 = require("@tinycloud/sdk-core");
   PermissionNotInManifestError,
   PrefixedKVService,
   ProtocolMismatchError,
+  SECRET_NAME_RE,
   SQLAction,
   SQLService,
+  SecretsService,
   ServiceContext,
   SessionExpiredError,
   SharingService,
@@ -3129,11 +3847,13 @@ var import_sdk_core17 = require("@tinycloud/sdk-core");
   TinyCloud,
   TinyCloudNode,
   UnsupportedFeatureError,
+  VAULT_PERMISSION_SERVICE,
   VaultHeaders,
   VaultPublicSpaceKVActions,
   VersionCheckError,
   WasmKeyProvider,
   buildSpaceUri,
+  canonicalizeSecretScope,
   checkNodeInfo,
   composeManifestRequest,
   createCapabilityKeyRegistry,
@@ -3145,12 +3865,15 @@ var import_sdk_core17 = require("@tinycloud/sdk-core");
   defaultSpaceCreationHandler,
   deserializeDelegation,
   expandActionShortNames,
+  expandPermissionEntries,
+  expandPermissionEntry,
   isCapabilitySubset,
   loadManifest,
   makePublicSpaceId,
   parseExpiry,
   parseSpaceUri,
   resolveManifest,
+  resolveSecretPath,
   resourceCapabilitiesToSpaceAbilitiesMap,
   serializeDelegation,
   validateManifest